
Authenticating a Cisco Device against FreeRADIUS

Introduction

There are many ways to authenticate users on Cisco devices. The most basic is to set a password on the "vty" and "console" lines and then enable "login" on those lines. This is very insecure and nearly impossible to audit. Another way is to create a local AAA database on each device and authenticate against it with a username and password. This works if you only have one switch or router in your network; with more than that, maintaining the list of users and passwords on each and every device becomes cumbersome. To avoid this problem there are several options for authenticating against a centralized user and password database. A centralized database makes it simpler to add and remove users, conduct audits, and maintain access controls. This can be accomplished with a RADIUS server or a Cisco TACACS+ server. Cisco provides a document on the differences between the two (http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml).

There are many different RADIUS servers out there. If you are using Active Directory in your organization you may want to consider IAS or, in newer versions of Windows Server, NPS. If you are familiar with Linux you may want to consider FreeRADIUS. FreeRADIUS also gives you the ability to use free two-factor authentication via Google Authenticator (FreeRADIUS Google Dual Factor Authenticator). For the purposes of this tutorial, we will use Ubuntu 12.04 and FreeRADIUS.

FreeRADIUS is a popular open source RADIUS server. RADIUS is a standardized authentication protocol that can be used to authenticate many different devices, including VPNs, routers, switches, computers, and much more. For more information on FreeRADIUS see http://freeradius.org/.

Tutorial

Now, how to set it up.

For the purpose of this tutorial I will be using Ubuntu 12.04 Server, but the steps should adapt easily to many other distributions.

Install FreeRADIUS

sudo bash
apt-get update
apt-get install freeradius

Environment

Right now, my switch is very basic. All I have done is give it an IP address, set the login password to 'password', and set the enable password to 'cisco'. I certainly recommend you use something much more complex than that. Essentially it looks like this:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
!
!
no aaa new-model
system mtu routing 1500
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 10.0.0.10 255.255.255.0
!
ip http server
ip http secure-server
!
line con 0
 password password
 login
line vty 0 4
 password password
 login
line vty 5 15
 password password
 login
!
end

My FreeRADIUS server is attached directly to interface GigabitEthernet 0/2. The switch has an IP address of 10.0.0.10 and the server has an IP address of 10.0.0.5. /etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 10.0.0.5
    netmask 255.255.255.0

Now that you understand how everything is connected, let's move forward and get it working.

Configuring FreeRADIUS

Configuring the clients.conf file

The first item you need to take care of is telling FreeRADIUS about the Cisco switch. To do this, edit the /etc/freeradius/clients.conf file and add the following lines to the bottom of the file:

client 10.0.0.10 {
    secret = mysupersecretpassword2
}

This defines a client and its shared secret. When you select yours, you ought to use something more complex than what you see here, but for this tutorial we will just use "mysupersecretpassword2". When a client sends a request to FreeRADIUS, it uses its RADIUS shared secret to encrypt the credentials it sends, and that same secret is what FreeRADIUS uses to authenticate the client. Because of this, we will need to remember to use the same shared secret on the switch when we configure it.
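As an added example (not code from the original tutorial), the following Python models what that shared secret does on the wire according to RFC 2865: the switch hides the PAP password by XORing it with MD5(secret + Request Authenticator), chained per 16-byte block, and the server's reply carries a Response Authenticator computed over the secret. The secret and user are the tutorial's values; the function names are my own and nothing here talks to a real server.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SECRET = b"mysupersecretpassword2"  # the tutorial's clients.conf secret

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 (client side): pad to 16-byte blocks, XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, but the chain runs over the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type | Length | Value

def build_access_request(ident, user, password, secret, request_auth=None):
    """Code(1) | Identifier(1) | Length(2) | Request Authenticator(16) | attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = avp(ATTR_USER_NAME, user) + avp(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    """The client only trusts a reply that was produced with the same shared secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

This is why the secret itself has to be strong: the password hiding and the reply check are only as good as the secret both sides share.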

Configuring the users file

Next up, we will need to add a user to be used for authenticating on the device. To do this we will need to edit the /etc/freeradius/users file. There are other ways of doing this besides adding static users in the users file: you can also use the local Unix password database or any PAM module to authenticate your users. For the purposes of this tutorial, though, we will simply add a user in the users file.

Right at the top of the file you should see something like this:

#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# If you use the database support to turn this file into a .db or .dbm
# file, the DEFAULT entries _have_ to be at the end of this file and
# you can't have multiple entries for one username.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
#
# For a list of RADIUS attributes, and links to their definitions,
# see:
#
# http://www.freeradius.org/rfc/attributes.html
#

Directly after this, add these lines:

radcisco Cleartext-Password := "password"

Now you have added a user called "radcisco" with the password "password". Once again, use something more complex than this when you actually deploy it. :)

Restart FreeRADIUS

Your FreeRADIUS server is now completely configured; restart it (or reload its configuration) so the changes take effect.

service freeradius restart

Configuring the Cisco Switch

You now need to log in to your switch and make the necessary configuration changes. One thing you will also likely want to do is set a local AAA user, just in case your RADIUS server goes down or becomes unreachable; otherwise you will be locked out of your device. Keep the credentials for this user secret and do not use them yourself unless the RADIUS server is down. In fact, they will not work at all unless the RADIUS server is down or unreachable. For the purpose of this tutorial we will make a local AAA user called "admin" with a password of "p@ssw0rd".

Log in to your device and issue the following commands. Make sure you are already in enable mode.

You will also notice that we configured the RADIUS server with the shared secret we used before, "mysupersecretpassword2". The final line tells the switch which AAA authentication method to try first: it attempts the RADIUS group first and falls back to the local database second.